Computing.Net > Forums > Security and Virus > Vundo Trojan

Vundo Trojan


Original Message
Name: rane3
Date: October 10, 2005 at 12:03:41 Pacific
Subject: Vundo Trojan
OS: Win 2k
CPU/Ram: P4 2.0 512MB
Comment:

I again am one of those afflicted with the Trojan.Vundo virus. I have read MULTIPLE threads on this problem, including some in here. I have tried MANY solutions and none seem to work. So I'm going to post what I've tried and hopefully someone can help me with this:

Norton keeps popping up with Trojan.Vundo detected in file ssqqn.dll in system32. Unable to repair. The NAV scan reveals that I have the virus but can't quarantine, delete or fix it. Norton's Vundo removal tools (both the regular one and Vundo.B) won't detect Vundo in either safe or regular mode.

So I downloaded Process Explorer and Killbox. I can only suspend explorer.exe but NOT winlogon. I can kill all instances of the DLL run in explorer, but I think winlogon runs one as well; I can't tell because it's just the address, but I can't kill it, and a search for DLLs in Process Explorer says winlogon also uses it.

I can't delete the files on reboot either with Killbox, since every time I try to do that the trojan automatically removes the registry entries that mark them for deletion.

Through HJT I can remove the problems, but every time I do that the trojan re-adds them as soon as they are removed.

I even did this manually through regedit and removed all registry entries with the 2 infected DLLs:
ssqqn.dll and
wfwfaxui.dll
Every time I exited regedit the entries were added!
STILL NOTHING

I even tried the suggestion of creating batch files to be run through the regedit Run key and through the startup folder, and this had no success in deleting files.

Ewido doesn't help either, in safe mode or otherwise.

I'm truly lost guys. PLEASE HELP!!!





Response Number 1
Name: Zenith
Date: October 10, 2005 at 14:19:58 Pacific

To clean your system of viruses and malware, first boot into Safe Mode (no networking). Then do your scans.

98% of the population is asleep. The other 2% are staring around in complete amazement, abject terror, or both.



Response Number 2
Name: murve
Date: October 10, 2005 at 14:34:29 Pacific

Hi rane3,
Try unregistering both DLLs by doing this:
regsvr32 /u c:\win32\ssqqn.dll
regsvr32 /u c:\win32\wfwfaxui.dll
All the best,
murve



Response Number 3
Name: murve
Date: October 10, 2005 at 14:43:26 Pacific

Hi rane3,
Sorry rane, it's Thanksgiving here in the great white north, too much vino. You will have to hit the Start button, then the Run command, and in the box type in each command separately, then hit the OK key.
This will unregister each DLL and they will not return to haunt you.
Unregister both DLLs by doing this:
regsvr32 /u c:\win32\ssqqn.dll
regsvr32 /u c:\win32\wfwfaxui.dll
All the best,
murve



Response Number 4
Name: jabuck
Date: October 10, 2005 at 15:03:33 Pacific

Yeah, this little pest is causing a lot of heartburn.

It's been a while since your post but if you still need help try it this way.

Print these instructions

The rest of the fix will need to be done in safe mode.

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen, click on each instance of ssqqn.dll and wfwfaxui.dll once and then click the Kill button.

After you have killed all of the ssqqn.dll's and the wfwfaxui.dll's under winlogon, click OK.

Next look for ssqqn and look for any .ini or .bak files or other DLLs with either the same name or the file name in reverse (nqqss) and kill them as well (write down the name and full path of any you find; you will need to delete them later). Do the same for wfwfaxui.dll.

Now double click on explorer.exe and again click once on each instance of ssqqn.dll then click the kill button.

Then also look for any .ini or .bak files or reverse-named DLLs with either the same name or the file name in reverse and kill them as well. Do the same for wfwfaxui.dll. You may have found these already but look again.

Click on the Threads tab at the top.

Once you have done that click ok again.

From here I use HijackThis to delete the O2 and O20 items with the infected DLLs, in your case ssqqn and wfwfaxui, so far.

Copy the text in the Code box below (just the text between the lines), and paste it into a blank Notepad window.

Save it as vundo.reg and in the Save as type box choose All files.

Once you have saved it double click it and allow it to merge with the registry.


----------------
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{581F22DA-7202-4F21-AEF3-114787156016}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

----------------

Now run Killbox and type the FIRST ONE of the below lines into the box, select Delete on Reboot, then press the red X button, say Yes to the prompt but No to reboot now.

C:\WINDOWS\system32\ssqqn.dll and C:\WINDOWS\system32\wfwfaxui.dll

Then continue to type the lines in, in turn, and follow the above procedure every time. If it says file is missing, or if it says unable to delete, then make a note of the file name and let us know when you reply.

Then repeat by typing in the full name of any of the reverse-named, .bak, .ini or other files that you discovered previously, if there were any.

After you have input the last file name then click Yes to the first prompt, and Yes to Reboot now.

If your computer does not restart, restart it manually.




Response Number 5
Name: rane3
Date: October 10, 2005 at 16:53:45 Pacific

Zenith: All this was done in safe mode.

murve: I have tried regsvr32 -u on both files in safe mode; I can't unregister them!

jabuck: There is no running process that uses wfwfaxui.dll in Process Explorer. The only instances of ssqqn.dll (reverses, inis or baks don't exist) are in explorer. I can kill those but I still can't delete the files or have Killbox delete them. I should also note that ssqqn.dll is used/run by winlogon, but in the threads window there's no such file, just all address numbers. In explorer there's 4 instances of ssqqn.dll ONLY and that's it.
I also took a look at the reg keys you told me to put into my file. I'm assuming it deletes those keys and these are the ones that load ssqqn and wfwfaxui. In my case those numbers are wrong. I've located the right ones, in my case only one:
{6DD0BC06-4719-4BA3-BEBC-FBAE6A448152}
And modified your suggestion accordingly. I will try what you said exactly as you said and let you know of further updates.




Response Number 6
Name: jabuck
Date: October 10, 2005 at 17:26:36 Pacific

Be sure to enter a file path into Killbox for C:\WINDOWS\system32\wfwfaxui.dll and delete it, even if you don't find it. And if you have HijackThis, post a log when you finish.




Response Number 7
Name: rane3
Date: October 10, 2005 at 18:11:17 Pacific

I think the main problem I'm having is terminating the processes. I can only see ssqqn.dll in explorer.exe, nothing in winlogon. So I kill all of these.

But when I try to remove registry values they are added as soon as they are removed. Same as HJT values: I run the HJT scan, remove the items and immediately after run a scan again and there they are! Same thing happens with the .reg file I import. I import it, I see the values deleted as I have regedit running, and then I refresh and they're back.

I have also tried CopyLock to delete the files; here it says they are used by both winlogon and explorer, but in kill process I can't see anything in winlogon besides memory addresses (I think).

This was all done in safe mode.

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:12:05 PM, on 10/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Documents and Settings\Rane3\Desktop\lfw.exe
C:\WINNT\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\cidaemon.exe
C:\Documents and Settings\Rane3\Desktop\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\ssqqn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Merriam-Webster Online - {B7B76DD6-B6F0-4443-AF81-6A3ECF12A57D} - C:\WINNT\_MWOLTB.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [my prog] c:\me.bat
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [my prog] C:\me.bat
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: MWOL &Dictionary - res://C:\WINNT\_MWOLTB.DLL/23/219
O8 - Extra context menu item: MWOL &Thesaurus - res://C:\WINNT\_MWOLTB.DLL/23/220
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {3CF32649-D1C0-4F42-AB44-ED284748920B} (Merriam-Webster Online Toolbar) - http://m-w.com/toolbar/webinstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{49BE4A5C-BA61-45EC-BD7D-FF9429289928}: NameServer = 192.168.1.1
O20 - Winlogon Notify: App Paths - C:\WINNT\system32\wfwfaxui.dll
O20 - Winlogon Notify: ssqqn - C:\WINNT\system32\ssqqn.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe




Response Number 8
Name: rane3
Date: October 10, 2005 at 18:15:11 Pacific

PS I forgot to mention, when I use Killbox to delete these files, on the last one when I click YES to reboot it says:

Verifying Registry Values... Plz Wait

Then it pops up with:

PendingFileRenameOperations Registry data has been removed by External process. Again I assume this is caused by not being able to terminate all instances of ssqqn.dll.


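The .reg file in Response 4, rane3's point in Response 5 that its CLSIDs have to match your own HJT log, and the Killbox message above all touch the same two places in the registry: the O2/O20 keys that load the DLL, and the PendingFileRenameOperations value that Delete on Reboot writes. The script below is an added example, not code from this thread or from HijackThis, Killbox or VundoFix. It reads the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis 1.99 log and writes a .reg file that deletes the matching Browser Helper Objects, CLSID and Winlogon\Notify keys for the suspect DLLs, then sets PendingFileRenameOperations (a REG_MULTI_SZ of source/target pairs under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; an empty target means delete) for the same files. The sample log is a constructed excerpt of rane3's log above; the SUSPECT set and all function names are the example's own.

```python
"""Build a .reg cleanup file from HijackThis O2/O20 lines (added example, not from the thread)."""
import re

# HijackThis 1.99 log line shapes this example understands:
#   O2 - BHO: <name> - {CLSID} - <dll path>
#   O20 - Winlogon Notify: <subkey> - <dll path>
O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")

# Registry locations behind those two HijackThis sections.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# Where Session Manager reads delete-on-reboot requests (the value Killbox writes).
SESSION_MGR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"

# Constructed sample: an excerpt of the log posted above (the O3 line is a legitimate toolbar).
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\ssqqn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O20 - Winlogon Notify: App Paths - C:\WINNT\system32\wfwfaxui.dll
O20 - Winlogon Notify: ssqqn - C:\WINNT\system32\ssqqn.dll
"""
SUSPECT = {"ssqqn.dll", "wfwfaxui.dll"}  # file names the thread identified as Vundo (assumed input)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_hjt(log, suspect):
    """Return (clsids, notify_subkeys, dll_paths) for O2/O20 lines whose DLL is in `suspect`."""
    clsids, subkeys, paths = [], [], []
    for line in log.splitlines():
        m = O2_RE.match(line)
        if m and basename(m.group(2)) in suspect:
            clsids.append(m.group(1).upper())
            paths.append(m.group(2))
            continue
        m = O20_RE.match(line)
        if m and basename(m.group(2)) in suspect:
            subkeys.append(m.group(1))
            paths.append(m.group(2))
    return clsids, subkeys, list(dict.fromkeys(paths))  # dedupe, keep order


def multi_sz_hex(strings):
    """REG_MULTI_SZ in the hex(7) form regedit expects under the
    'Windows Registry Editor Version 5.00' header: UTF-16LE, each string
    NUL-terminated, the whole list terminated by one more NUL."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return ",".join("%02x" % b for b in data)


def pending_delete_entries(paths):
    """PendingFileRenameOperations is consumed at boot as (source, target) pairs;
    an empty target deletes the source. Sources carry the \\??\\ NT path prefix."""
    entries = []
    for p in paths:
        entries += ["\\??\\" + p, ""]
    return entries


def build_reg(log, suspect):
    clsids, subkeys, paths = parse_hjt(log, suspect)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in clsids:  # unhook the BHO and drop its COM registration
        lines += ["[-%s\\%s]" % (BHO_KEY, c), "[-HKEY_CLASSES_ROOT\\CLSID\\%s]" % c, ""]
    for s in subkeys:  # stop winlogon loading the DLL at logon
        lines += ["[-%s\\%s]" % (NOTIFY_KEY, s), ""]
    if paths:  # the same request Killbox's Delete on Reboot makes
        lines += ["[%s]" % SESSION_MGR,
                  '"PendingFileRenameOperations"=hex(7):%s'
                  % multi_sz_hex(pending_delete_entries(paths)),
                  ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_reg(SAMPLE_LOG, SUSPECT))
```

Merge the output with regedit the same way as the file in Response 4. Two details to keep in mind: the hex(7) encoding is the UTF-16 form that belongs with the "Windows Registry Editor Version 5.00" header (a REGEDIT4 file would need single-byte text), and writing the value replaces any rename already pending. It also changes nothing about what rane3 reports: while the DLL is loaded in winlogon the deleted keys come straight back and the pending-rename value is cleared, so a file like this is only useful from a boot where that DLL is not loaded, such as the second installation texaszeke describes in Response 25.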

Response Number 9
Name: jabuck
Date: October 10, 2005 at 19:14:41 Pacific

Let's try it a different way with a different tool that may be more up to date.

Download http://www.atribune.org/downloads/VundoFix.exe

Double-click VundoFix.exe to extract the files.
This will create a VundoFix folder on your desktop.

After the files are extracted, reboot your computer into Safe Mode.

Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat.
You will first be presented with a warning and a list of forums to seek help at.
It should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net

At this point press enter one time.

Next you will see:

Type in the filepath as instructed by the forum staff

Then Press Enter, Then F6, Then Enter Again to continue with the fix.

At this point please type the following file path of your ssqqn.dll infection.

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

At this point please type the path to your wfwfaxui.dll infection.

Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.

Then delete these items with HJT.

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINNT\system32\ssqqn.dll

O20 - Winlogon Notify: App Paths - C:\WINNT\system32\wfwfaxui.dll

O20 - Winlogon Notify: ssqqn - C:\WINNT\system32\ssqqn.dll

Then do a Google search for Panda and run their online scan.




Response Number 10
Name: claudder
Date: October 10, 2005 at 19:18:08 Pacific

I need help too, please. I was hit with this Trojan Vundo and I have gone and downloaded both versions of the repair file from Symantec and neither one works. I am not that good with this kind of stuff and have read some of the above directions and get lost. Someone please help. I have c:\windows\system32\pmnnn.dll. I am going nuts since I have been trying to remove this since 12pm and it has ruined my Thanksgiving.....



Response Number 11
Name: rane3
Date: October 10, 2005 at 20:01:22 Pacific

There was no luck with VundoFix; mind you, I'd already tried that previously, but I tried it again. Same problem: it can't seem to delete ssqqn.dll because it's in use by another process. Also it won't reboot, just sits there, and when I hit Enter it errors and says it's missing a file.

Scanning with Panda now. Mind you, I've also somehow managed to get infected by Look2Me, which Ewido keeps detecting when I boot up normally, but won't seem to clean in safe mode ... :(

Any more suggestions?

Soon as Panda's done I'll post again.



Response Number 12
Name: jabuck
Date: October 10, 2005 at 20:25:46 Pacific

This is probably the problem then. Type the file paths this way:

C:\Windows\System32\ssqqn.dll

C:\Windows\System32\nqqss.dll

C:\Windows\System32\wfwfaxui.dll

C:\Windows\System32\iuxafwfw.dll

Then download Ad-Aware SE. After you get it downloaded, go back to their website and download the VX2 Cleaner on the right side of the page and run it as directed. It should get the Look2Me infection.



Response Number 13
Name: rane3
Date: October 10, 2005 at 20:32:37 Pacific

Since I'm running Win2k I assume my paths are

C:\WINNT\system32\ssqqn.dll, etc.?
Or at least that's what they look like in Explorer and the DOS prompt.

I never knew Windows was case sensitive? But in any case I'll try it with the new case right after Panda and Ad-Aware both finish, and post more again.



Response Number 14
Name: jabuck
Date: October 10, 2005 at 20:52:26 Pacific

Yes, and I don't think it is case sensitive, but try it. The important thing is to run the DLL in reverse.



Response Number 15
Name: jabuck
Date: October 10, 2005 at 21:00:54 Pacific

Most people write it like this: C:\WINNT\SYSTEM32\ssqqn.dll



Response Number 16
Name: rane3
Date: October 10, 2005 at 21:42:48 Pacific

I really don't think that's the problem. Case sensitivity has never been an issue in Windows or DOS.

VundoFix is still a no-go. A word of caution there: the reg file that's supposed to fix your registry won't actually do anything if your reg key values don't match up with the ones in the file. Seems like mine are far off. I changed it but still no luck.

If I could somehow suspend or terminate winlogon I'd be fine, but I can't. Nothing will allow me to suspend it or kill any active DLLs it has loaded; they're all protected.

I've tried TOO many things. Panda was taking too long so I quit it. The VX2 update for Ad-Aware says it might have found a new version of the virus and advises me to send winlogon.exe to them. Ewido auto-protect keeps detecting and cleaning Look2Me, but it won't actually run in normal mode, only in safe mode. I still keep getting the virus though.

This is turning into a real pain; never has a trojan caused me such hassle and never have I not been able to find help.

I think my final resort will be to wipe my HDD clean and re-install everything. After all, it's been a few good years running a stable good ol' Windows OS; time for a new install ....

GRRRRR!!!!

PS: wfwfaxui.dll has vanished, only to be replaced by nkrsptb.dll in HJT.

PPS: How can I enter 4 file paths in VundoFix? I thought it was only one at a time, then Enter, then F6, then Enter again. If I'm going to enter two at one prompt how will that work?

Thanks for your time jabuck!



Response Number 17
Name: jabuck
Date: October 11, 2005 at 03:34:26 Pacific

You enter one path and press Enter, press F6, press Enter again.... then you enter the next path, press Enter, press F6, then press Enter again, etc.



Response Number 18
Name: rane3
Date: October 11, 2005 at 08:30:45 Pacific

You're only allowed to do that twice. So if you had 4 paths then you'd be left with 2 extra.

Does anyone else have anything I haven't tried yet?



Response Number 19
Name: Maggie_333
Date: October 11, 2005 at 11:11:32 Pacific

I also had the Vundo virus. I realized I had it on Friday evening, and I spent about 8 hours trying to fix it. All these suggestions seem very complex, and if you are computer illiterate it would be hard to follow. This is an easy answer; this is what I did.

I downloaded the free trial version of spy sweeper. I ran the sweep and it detected the adware Vundo but it also told me that a threat was running in memory and to reboot my computer before it could be removed. So I did that .. but when my computer was fully rebooted the virus was back. I searched on the spy sweeper site and this is what I learned:
If you are on Cable, disconnect it. Also, shut off your system restore and then shut all power off to your machine for at least 30 seconds before you start (this way the virus will not be running in the memory). Start your computer in Safe Mode using the F8 key. Sweep your machine again with the Spy Sweeper (NAV also tells me that you should scan for the virus in safe mode, but spy sweeper fixed it before I could try that theory). As soon as Spy Sweeper detected the Vundo adware I stopped the scan and removed it. I checked the Quarantine and it was there and I deleted it from there as well. I shut down my machine again (do not use 'restart') and rebooted again in Safe Mode and this time did a full sweep with Spy Sweeper and it did not detect it at all!! To be sure I shut down again and then did a full NAV scan. The VUNDO is history! Make sure to shut off your System Restore before you begin removing the virus and turn it back on before you do your final Norton's Antivirus scan. That's it! I hope it works as well for you as it did for me.




Response Number 20
Name: andy1
Date: October 12, 2005 at 01:02:31 Pacific

simpler solution can be found at http://www.spywaredb.com/remove-win32-vundo-522752trojan/



Response Number 21
Name: Joseph DeMarco
Date: October 12, 2005 at 09:47:39 Pacific

Spy Sweeper works. Don't use Killbox or HijackThis because you can damage your registry if you don't know what you're doing. Download the free trial of Spy Sweeper and install it. Restart your computer in Safe Mode and scan. Make sure that your internet connection, file sharing and system restore are turned off. When Spy Sweeper picks up the malware, stop the scan and hit Next. It will tell you to restart the computer. Do a hard restart and scan again. You will now be able to remove the trojan. Good luck.



Response Number 22
Name: uncool
Date: October 12, 2005 at 10:39:36 Pacific

I did it! I killed Vundo! Using Webroot's free 14-day trial copy of "SPYSWEEPER". It was easy and it didn't cost anything. I'm going to buy the full copy now. After I rebooted I ran the Norton AntiVirus scan again and it found nothing... not even that annoying red virus alert window.
I too have been trying for many days to get Symantec's Norton AntiVirus to kill the Vundo virus. My conclusion is Symantec is a waste of time and money. Maggie_333, you are a godsend. Thanks for posting your recipe of removal.



Response Number 23
Name: rolon1
Date: October 12, 2005 at 14:45:47 Pacific

Spy Sweeper worked for my computer. I had this Trojan Vundo virus for a week and couldn't get rid of it; I did the Spy Sweeper and it worked. Thank you to all who mentioned Spy Sweeper.



Response Number 24
Name: wahineslc
Date: October 18, 2005 at 11:23:32 Pacific

Also had this trojan for a couple of weeks. The Norton "fixes" did not work at all. In fact, right after they told me the computer was free of the thing, the Norton red alert went on eternal flash, totally jamming up my computer. SpySweeper to the rescue!

BTW, I ended up running the SpySweeper scan in regular mode because I couldn't get the "safe mode" to work -- perhaps because of Norton jamming things up? I disabled the system restore & Norton AV autoprotect, and ran SS. I've since done several scans and the thing seems to be gone, gone, gone.

Does anyone know what website(s) this stuff spews from?

Thanks to all for good advice, and good luck.



Response Number 25
Name: texaszeke
Date: October 23, 2005 at 18:42:54 Pacific

Vundo creates a random filename.dll and opens it even in safe mode, making it impossible to delete. If you have a FAT32 file system, make a startup floppy, boot with it and delete the .dll in DOS mode. If you have NTFS, it's more difficult. I have 2 drives with an operating system on each one. To get rid of the offending DLL, I booted on drive 2, allowing me to delete the file. As far as I can tell, it's impossible to delete the file with the same operating system that it infects. Having a second bootable hard drive is very handy for deleting files the OS would normally have open.

